update: never mind… replaced it with wireguard. \o/

is there any sane way to do ike+xauth with user/pass and psk on openbsd 7.8?

(iphone roadwarrior config, due to app constraints ikev2 is not an option, that would be easy…)

@nblr how did you do user/pass on top of wireguard? (assuming you did 😉)

@Glenlivet There’s no user/pass in wg.
But I did a “pass in quick” on pf.
So technically it counts as two factor 🤓
Imfosec is my passion.

@nblr I knew that there is nothing integral regarding user/pass to wg as opposed to e.g. openvpn, that's why I was asking 😉

How does 'pass in quick' provide a 2nd factor?

@Glenlivet I was trying to match your humor.
It was not a good match. 🙃

@Glenlivet On a more serious note… This was a point-to-point connection with one user. Else I wouldn't have used it. xauth is a very sorry bolted-on band-aid and relying on a single psk for all users is… uhm… "not good practice". I was not aware that the other end supported wg by now, so I happily could ditch that legacy junk.

@nblr I can totally relate.

@nblr why is IKEv2 not an option?

@gtz42 Because the other side is shyte. In recent days they saw the light and deprecated the ipsec option, urging users to just use wireguard instead of ipsec within the app; the latter just offered this:

@gtz42 Sadly, the in-app ipsec support was pretty convenient while wireguard - as smooth as it sails - means that a manual step is needed every time I want to use the app on the go.